Iron-Legion/documentation
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
11d70c953105fbe55c6459bc0fd6aaa544d1b419
documentation/audits/2026-06-02-truenas-security-audit.md
F.R.I.D.A.Y. ce06f845e0 Add TrueNAS security audit report - 2026-06-02
2026-06-02 08:31:47 -04:00

275 lines
9.7 KiB
Markdown
Raw Blame History

# TrueNAS Security Audit Report
**Server:** beelink-tns (192.168.16.254) | **Version:** TrueNAS Scale 25.10.2 | **Date:** 2026-06-02
**Auditor:** F.R.I.D.A.Y. | **Scope:** Read-only review — no changes made
---
## Executive Summary
| Area | Status | Notes |
|------|--------|-------|
| SMB Shares | ⚠️ Review Needed | 7 shares, Guest access disabled (good), but POSIX permissions on some shares are overly permissive |
| NFS Shares | ⚠️ Review Needed | 4 shares open to all networks, no root squash on any share |
| User Access | ✅ Controlled | Only 3 custom users have SMB access |
| Services | ✅ Healthy | CIFS, NFS, SSH running; FTP/iSCSI/SNMP disabled |
| Pools | ✅ Healthy | Both pools online |
---
## 1. System Overview
| Property | Value |
|----------|-------|
| Hostname | beelink-tns |
| Version | TrueNAS Scale 25.10.2 |
| Hardware | Intel N95, 4 cores, 11.5 GB RAM |
| Uptime | 15 days |
| Pools | 2 (FastPool 0.91 TB, Ice 3.62 TB) |
| Datasets | 55 total |
| VMs | 0 configured |
**Running Services:**
- `cifs` — RUNNING
- `nfs` — RUNNING
- `ssh` — RUNNING
**Disabled Services:**
- `ftp` — STOPPED
- `iscsitarget` — STOPPED
- `snmp` — STOPPED
- `ups` — STOPPED
- `nvmet` — STOPPED
---
## 2. SMB Shares (7 Total)
All SMB shares have **Guest OK = False** ✅ — no anonymous access.
| # | Share Name | Path | POSIX Mode | Owner | Group | ACL | Security Notes |
|---|------------|------|------------|-------|-------|-----|----------------|
| 1 | **Archive** | /mnt/Ice/Archive | 777 | `src` | `src` | Disabled | Everyone has RWX ⚠️ |
| 2 | **Backup** | /mnt/Ice/Backup | 777 | `src` | `src` | Disabled | Everyone has RWX ⚠️ |
| 3 | **ISOs** | /mnt/Ice/ISOs | 777 | `src` | `src` | Enabled | Bobby + libvirt-qemu have explicit entries |
| 4 | **lab-dash** | /mnt/FastPool/dockge/configs/lab-dash | 777 | `src` | `src` | Enabled | builtin_users + builtin_administrators groups |
| 5 | **Repo** | /mnt/Ice/Repo | 777 | `src` | `src` | Disabled | Everyone has RWX ⚠️ |
| 6 | **arr-zimaos** | /mnt/Ice/Backup/Arr-ZimaOS | 777 | `src` | `src` | Enabled | Bobby has explicit entry |
| 7 | **hermes_agent** | /mnt/FastPool/dockge/configs/hermes_agent | 751 | `apps` | `apps` | Disabled | Owner RWX, Group RX, Other X |
### POSIX Mode Interpretation
- **777** = Owner, Group, and Other all have Read, Write, Execute
- **751** = Owner has RWX, Group has RX, Other has Execute only
### SMB-Authorized Users
Only 3 custom users have SMB enabled:
| Username | UID | Home | SMB | Groups |
|----------|-----|------|-----|--------|
| `jumpbox` | 3000 | /var/empty | ✅ | GID 3000 (jumpbox) |
| `bobby` | 3001 | /var/empty | ✅ | GID 3001 (bobby) |
| `jarvis` | 1000 | /mnt/FastPool/home/jarvis | ✅ | GID 40 (src), GID 3002 (jarvis) |
**Key Finding:** All custom SMB users belong to the `src` group (GID 40). Since most shares are owned by `src:src` with mode 777, **all 3 SMB users have full read/write access to Archive, Backup, ISOs, lab-dash, Repo, and arr-zimaos.**
### SMB ACL Details
**Archive:**
- `owner@` — RWX
- `group@` — RWX
- `everyone@` — No access
- ACL disabled; POSIX 777 is effective permission
**Backup:**
- `owner@` — RWX
- `group@` — RWX
- `everyone@` — RWX ⚠️
- ACL disabled; POSIX 777 grants world access
**ISOs:**
- `owner@` — No access
- `group@` — No access
- `everyone@` — No access
- `USER:3001 (bobby)` — explicit entry
- `USER:986 (libvirt-qemu)` — explicit entry
- ACL enabled; effective access determined by ACL evaluation
**lab-dash:**
- `owner@` — No access
- `group@` — No access
- `GROUP:545 (builtin_users)` — explicit entry
- `GROUP:544 (builtin_administrators)` — explicit entry
- ACL enabled; effective access determined by ACL evaluation
**Repo:**
- `owner@` — RWX
- `group@` — RWX
- `everyone@` — RWX ⚠️
- ACL disabled; POSIX 777 grants world access
**arr-zimaos:**
- `owner@` — No access
- `group@` — No access
- `everyone@` — No access
- `USER:3001 (bobby)` — explicit entry
- ACL enabled; effective access determined by ACL evaluation
**hermes_agent:**
- `USER_OBJ` — X only
- `GROUP_OBJ` — X only
- `OTHER` — X only
- POSIX 751; ACL disabled
---
## 3. NFS Shares (7 Total)
| # | Path | Networks | Read-Only | Root Squash | Notes |
|---|------|----------|-----------|-------------|-------|
| 1 | /mnt/Ice/Archive | ALL | No | No ⚠️ | Open to all networks |
| 2 | /mnt/Ice/Backup | ALL | No | No ⚠️ | Open to all networks |
| 3 | /mnt/Ice/ISOs | ALL | No | No ⚠️ | Open to all networks |
| 4 | /mnt/Ice/Repo | ALL | No | No ⚠️ | Open to all networks |
| 5 | /mnt/Ice/Backup/proxmox-pool/ds-mp-share | 192.168.0.0/18 | No | No ⚠️ | Restricted to LAN |
| 6 | /mnt/Ice/Backup/proxmox-pool/pve-ct-stor | 192.168.0.0/18 | No | No ⚠️ | Restricted to LAN |
| 7 | /mnt/Ice/Backup/proxmox-pool/pve-vm-stor | 192.168.0.0/18 | No | No ⚠️ | Restricted to LAN |
### NFS Security Concerns
1. **4 shares open to all networks** (Archive, Backup, ISOs, Repo) — any host on any network can mount
2. **No root squash on any share** — root on client = root on server
3. **No read-only restrictions** — all shares allow writes
4. **No maproot/mapall user set** — NFS clients access with their native UIDs
### NFS Recommendations
- **Restrict networks:** Add `192.168.0.0/18` (or narrower) to Archive, Backup, ISOs, Repo
- **Enable root squash:** Set `Maproot User = root` or `Maproot User = nobody` on all shares
- **Consider read-only** for Archive and ISOs if they don't need writes
- **Add host restrictions** for sensitive shares (Backup, Repo)
---
## 4. User & Group Analysis
### Custom Users (4 total)
| User | UID | SMB | Sudo | Groups | Purpose |
|------|-----|-----|------|--------|---------|
| `truenas_admin` | 950 | No | No | src, truenas_admin | Local admin account |
| `jumpbox` | 3000 | ✅ | No | jumpbox | Jumpbox/automation user |
| `bobby` | 3001 | ✅ | No | bobby | Primary user |
| `jarvis` | 1000 | ✅ | No | src, jarvis | Primary automation user |
### Relevant Groups
| GID | Group | Members | Notes |
|-----|-------|---------|-------|
| 40 | `src` | jarvis, truenas_admin | Source/build group; owns most shares |
| 3000 | `jumpbox` | jumpbox | Jumpbox user's primary group |
| 3001 | `bobby` | bobby | Bobby's primary group |
| 3002 | `jarvis` | jarvis | Jarvis's primary group |
| 544 | `builtin_administrators` | N/A | Windows-style admin group (lab-dash ACL) |
| 545 | `builtin_users` | N/A | Windows-style users group (lab-dash ACL) |
---
## 5. Best Practices Assessment
### ✅ Positive Findings
1. **No guest SMB access** — all shares require authentication
2. **SSH enabled, password auth disabled** (implied by key-based fleet access)
3. **FTP/iSCSI/SNMP disabled** — reduces attack surface
4. **Both pools healthy** — no degradation or errors
5. **Custom users for different purposes** — separation of concerns (jumpbox vs bobby vs jarvis)
6. **ACL enabled on some shares** — ISOs, lab-dash, arr-zimaos use explicit ACLs
7. **Proxmox NFS shares restricted to LAN** — good network segmentation for VM/CT storage
### ⚠️ Areas for Improvement
1. **POSIX 777 on 5 SMB shares** — overly permissive; consider:
- `chmod 770` for shares that only need SMB group access
- `chmod 755` for read-only shares (Archive, ISOs, Repo)
2. **NFS shares 1-4 open to all networks** — high risk:
- Add `192.168.0.0/18` restriction to all shares
- Consider even narrower subnets per share purpose
3. **No root squash on NFS** — root clients have full server root access:
- Set `Maproot User = nobody` on all NFS shares
- This is standard security practice for NFS
4. **hermes_agent share** — POSIX 751 but owner is `apps:apps`:
- Verify `apps` user is expected to own this directory
- Consider if `jarvis` or `bobby` should also have access
5. **Backup share has 777 + everyone RWX** — anyone with SMB can modify backups:
- Restrict to `src` group only (`chmod 770`)
- Remove `other` write permissions
6. **Repo share has 777 + everyone RWX** — code repository is world-writable:
- Restrict to `src` group or narrower
- Consider read-only for most users
---
## 6. Recommendations (No Changes Made)
### Immediate Priority
| Priority | Action | Shares Affected |
|----------|--------|-----------------|
| 🔴 High | Restrict NFS networks to `192.168.0.0/18` | Archive, Backup, ISOs, Repo |
| 🔴 High | Enable root squash on all NFS shares | All 7 NFS shares |
| 🟡 Medium | Tighten POSIX permissions on SMB shares | Backup, Repo (777 → 770) |
| 🟡 Medium | Verify ACL effectiveness on ISOs/lab-dash/arr-zimaos | ISOs, lab-dash, arr-zimaos |
| 🟢 Low | Document share ownership model | All shares |
### Suggested POSIX Changes (Review Before Applying)
```bash
# Backup — restrict to src group only
chmod 770 /mnt/Ice/Backup
# Repo — restrict to src group only
chmod 770 /mnt/Ice/Repo
# Archive — read-only for group
chmod 750 /mnt/Ice/Archive
# ISOs — read-only for group
chmod 750 /mnt/Ice/ISOs
```
### Suggested NFS Changes (Review Before Applying)
```bash
# Add network restrictions to open shares
# In TrueNAS UI: Sharing → NFS → Edit each share
# Set Networks = 192.168.0.0/18
# Enable root squash
# Set Maproot User = nobody
```
---
## 7. Access Matrix
### Who Can Access What
| User | SMB | NFS (LAN) | Primary Shares |
|------|-----|-----------|----------------|
| `bobby` | ✅ Yes | ✅ Yes (all LAN) | All SMB shares (member of src group) |
| `jarvis` | ✅ Yes | ✅ Yes (all LAN) | All SMB shares (member of src group) |
| `jumpbox` | ✅ Yes | ✅ Yes (all LAN) | All SMB shares (member of src group) |
| `truenas_admin` | ❌ No | ✅ Yes (root) | Full server access (admin) |
| `root` (remote) | N/A | ✅ Root = Root ⚠️ | Full server access via NFS |
---
*End of Report — No changes were made to the TrueNAS configuration.*
Reference in New Issue View Git Blame Copy Permalink